Created attachment 6901
Prevent buffer overflow when directory contents change
The dirsort vfs plugin opens the directory and reads all entries to count
them and figure out how much data to allocate; it then uses rewinddir()
and reads the entries again, this time copying them into the allocated
buffer. The problem is that the second time through you're not guaranteed
to get the same list of entries - if a new file/directory was created in
the meantime then readdir() will return that new entry too and the code
will attempt to write more into the buffer than it allocated space for.
The following little test demonstrates this behaviour:
-------------------------------------------------------------
#include <stdio.h>
#include <dirent.h>
#include <unistd.h>
#include <sys/stat.h>

#define DIR_PATH "/tmp/rewinddir_test"
#define NEW_FILE (DIR_PATH "/foobar")

int main(void) {
    DIR *dir;
    FILE *fp;
    int cnt;

    /* set up test directory */
    mkdir(DIR_PATH, 0755);
    dir = opendir(DIR_PATH);
    if (dir == NULL) {
        perror("opendir");
        return 1;
    }

    /* first read of directory */
    cnt = 0;
    while (readdir(dir))
        cnt++;
    printf("first pass: num-files=%d\n", cnt);

    /* create new file and rewind */
    fp = fopen(NEW_FILE, "a");
    if (fp != NULL)
        fclose(fp);
    rewinddir(dir);

    /* second read of directory; the new entry is now included */
    cnt = 0;
    while (readdir(dir))
        cnt++;
    printf("second pass: num-files=%d\n", cnt);

    /* clean up */
    closedir(dir);
    unlink(NEW_FILE);
    rmdir(DIR_PATH);
    return 0;
}
-------------------------------------------------------------
The attached patch fixes this by breaking out of the loop if we would
write too much into the buffer.
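
Added example (not the attached patch and not the dirsort module's code): a count-then-copy directory snapshot whose second pass stops at the allocated capacity, as the fix above describes. The names snapshot, snapshot_dir and grow, the /tmp/dirsnap_demo path and the choice to store only entry names are assumptions made for illustration.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct snapshot {
    char (*names)[256]; /* one slot per entry counted in the first pass */
    size_t cap, used;   /* slots allocated, slots filled */
    int truncated;      /* set when the directory grew between the passes */
};

static int snapshot_dir(DIR *dir, const char *grow, struct snapshot *s)
{
    struct dirent *e;
    *s = (struct snapshot){0};
    while (readdir(dir) != NULL)            /* pass 1: count */
        s->cap++;
    s->names = calloc(s->cap ? s->cap : 1, sizeof(*s->names));
    if (s->names == NULL)
        return -1;
    if (grow != NULL)
        mkdir(grow, 0700);   /* hypothetical hook: stands in for a concurrent creator */
    rewinddir(dir);
    while ((e = readdir(dir)) != NULL) {    /* pass 2: copy, bounded by cap */
        if (s->used == s->cap) {            /* one more copy would overflow */
            s->truncated = 1;
            break;
        }
        snprintf(s->names[s->used++], sizeof(*s->names), "%s", e->d_name);
    }
    return 0;
}

/* Constructed scenario: empty scratch directory that grows mid-snapshot. */
int main(void)
{
    const char *base = "/tmp/dirsnap_demo", *sub = "/tmp/dirsnap_demo/foobar";
    struct snapshot s;
    DIR *dir;
    if (mkdir(base, 0700) != 0 || (dir = opendir(base)) == NULL)
        return 1;
    if (snapshot_dir(dir, sub, &s) == 0)
        printf("cap=%zu used=%zu truncated=%d\n", s.cap, s.used, s.truncated);
    free(s.names);
    closedir(dir);
    rmdir(sub);
    rmdir(base);
    return 0;
}
```

A caller that needs a complete listing can treat truncated as a signal to free the buffer and take the snapshot again.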